Verification failed for URI

Cody Carmichael ccarmichael at voalte.com
Thu Aug 2 17:39:15 EDT 2018


I know what's happening but I don't know why. I'm new to stuff like signing
and encryption, and the Shibboleth docs don't explicitly say WHICH
certificate you're supposed to point to with the certificateFile attribute
of the SignatureValidation filter. Here is my MetadataProvider
configuration:

<MetadataProvider id="HTTPMetadataCRC"
                  xsi:type="DynamicHTTPMetadataProvider">

        <MetadataFilter xsi:type="SignatureValidation"
                        requireSignedRoot="true"
                        certificateFile="%{idp.home}/credentials/cert.pem"/>
</MetadataProvider>


The cert.pem file is the SP's public key. The SAML request sent from the SP
contains that same public key along with a DigestValue. But in the logs I
have the following:

WARN [org.apache.xml.security.signature.Reference:791] - Verification failed for URI "#_someLongString"
WARN [org.apache.xml.security.signature.Reference:792] - Expected Digest: ABC123=
WARN [org.apache.xml.security.signature.Reference:793] - Actual Digest: XYZ456=
ERROR [org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter:420] - Signature trust establishment failed for metadata entry https://mySP.net/rest/v2/sso/shibboleth/metadata


So, what specific cert file is the certificateFile attribute supposed to be
pointing to? If it's supposed to be the SP's public key, why would the
DigestValues be different?
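The "Expected Digest" / "Actual Digest" warnings above come from the first stage of XML Signature validation: each ds:Reference's DigestValue is compared with a fresh digest of the referenced, canonicalized content, and only if every Reference passes is the SignatureValue itself checked with the key. The certificate in certificateFile is not consulted during the Reference stage, so a digest mismatch means the signed content no longer canonicalizes to what the signer saw. The following Python script is an added illustration of that stage, not code from the poster or from Shibboleth; it uses the standard library's C14N 2.0 implementation and a constructed SAML-metadata-like fragment, and `canonical_digest` / `check_reference` are helper names chosen here.

```python
"""Toy model of the ds:Reference digest check in XML Signature.

Added example (not from the original post or from Shibboleth). It shows which
kinds of changes to a signed XML fragment survive canonicalization and which
do not, which is what decides whether "Expected Digest" equals "Actual Digest".
"""
import base64
import hashlib
import xml.etree.ElementTree as ET


def canonical_digest(xml_text: str) -> str:
    """Canonicalize (C14N 2.0, as provided by the stdlib) and return the
    base64 SHA-256 digest, the way a DigestValue is formed."""
    c14n = ET.canonicalize(xml_text)
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")


def check_reference(xml_text: str, expected_digest: str) -> dict:
    """Mimic the Reference stage: recompute the digest of the referenced content
    and compare it with the DigestValue carried in the signature. No key or
    certificate is involved at this point."""
    actual = canonical_digest(xml_text)
    return {"ok": actual == expected_digest, "expected": expected_digest, "actual": actual}


# Constructed sample: the metadata fragment exactly as the signer serialized it.
SIGNED_CONTENT = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'ID="_ref1" entityID="https://sp.example.test/shibboleth">'
    '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://sp.example.test/acs" index="1"/>'
    '</SPSSODescriptor></EntityDescriptor>'
)

# The DigestValue the signer would have embedded in ds:Reference.
EXPECTED_DIGEST = canonical_digest(SIGNED_CONTENT)

# Same document, attributes reordered by a re-serializer: C14N sorts attributes,
# so the digest is unchanged and the Reference still verifies.
REORDERED_ATTRS = SIGNED_CONTENT.replace(
    'ID="_ref1" entityID="https://sp.example.test/shibboleth"',
    'entityID="https://sp.example.test/shibboleth" ID="_ref1"',
)

# Same document, pretty-printed after signing: C14N preserves whitespace text
# nodes, so the digest changes and the Reference fails.
PRETTY_PRINTED = SIGNED_CONTENT.replace("><", ">\n  <")

# Same document with an endpoint changed after signing: the digest changes.
ALTERED_ENDPOINT = SIGNED_CONTENT.replace(
    'Location="https://sp.example.test/acs"',
    'Location="https://sp.example.test/acs-moved"',
)


def run_cases() -> dict:
    """Return the Reference-check outcome for each constructed variant."""
    return {
        "as_signed": check_reference(SIGNED_CONTENT, EXPECTED_DIGEST)["ok"],
        "reordered_attrs": check_reference(REORDERED_ATTRS, EXPECTED_DIGEST)["ok"],
        "pretty_printed": check_reference(PRETTY_PRINTED, EXPECTED_DIGEST)["ok"],
        "altered_endpoint": check_reference(ALTERED_ENDPOINT, EXPECTED_DIGEST)["ok"],
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name:18s} reference {'OK' if ok else 'FAILED'}")
```

When the Reference stage fails as in the log above, swapping certificates cannot change the outcome; the thing to compare is the metadata document the IdP actually fetched against the one that was signed (re-serialization, whitespace or content edits between signing and fetching are the usual causes). Only once the digests agree does the choice of certificate in certificateFile matter, and there it must be the certificate matching the key that signed the metadata, which need not be the same as a signing certificate embedded inside the metadata.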